Sun. Jan 19th, 2020

MalwareHunterTeam found new SectopRAT trojan horse


Recently, the security research team MalwareHunterTeam said it discovered a new Trojan horse program SectopRAT. This Trojan can be used to control browser sessions on infected computers, change browser configuration, and disable security measures.

It is understood that the malicious program is written mainly in C# and includes a RemoteClient.Config class with four configurable values: IP, retip, filename, and mutexName. The researchers found the following about these four variables:

1. The IP variable holds the address of the Trojan horse's command and control (C2) server.
2. The retip variable is used to set up a new C2 server; the server address can be overwritten with the "set IP" command.
3. The filename and mutexName variables are set but are not in active use.

In addition, the researchers found that the software appears to have some shortcomings: first, it uses hard-coded paths rather than environment variables to access system files; second, a command for obtaining compiled decoder information has not been completed.

The researchers said that despite these obvious flaws, the techniques used in the program indicate that the attacker has a certain level of expertise, so they suspect that the Trojan may be only a test product.